Tuesday 29 September 2015

Malware spam "Info from SantanderBillpayment.co.uk" / "Santanderbillpayment-noreply@SantanderBillPayment.co.uk"

This fake financial spam comes with a malicious attachment:

From     "Santanderbillpayment-noreply@SantanderBillPayment.co.uk" [Santanderbillpayment-noreply@SantanderBillPayment.co.uk]
Date     Tue, 29 Sep 2015 12:33:56 GMT
Subject     Info from SantanderBillpayment.co.uk

Thank you for using BillPay. Please keep this email for your records.

The following transaction was received on 29 September 2015 at 09:11:36.

Payment type:          VAT
Customer reference no: 0343884
Card type:            Visa Debit
Amount:                GBP 4,683.00

For more details please check attached payment slip.

Your transaction reference number for this payment is IR0343884.

Please quote this reference number in any future communication regarding this payment.

Yours sincerely,

Banking Operations

This message is intended for the named person above and may be confidential, privileged
or otherwise protected from disclosure. If it has reached you by mistake please contact
the sender on 0300 200 3601 and delete the message immediately.


**PLEASE DO NOT REPLY TO THIS E-MAIL, AS WE WILL NOT BE ABLE TO RESPOND**
Emails aren't always secure, and they may be intercepted or changed after they've
been sent. Santander doesn't accept liability if this happens. If you think someone
may have interfered with this email, please get in touch with the sender another
way.
This message doesn't create or change any contract. Santander doesn't accept responsibility
for damage caused by any viruses contained in this email or its attachments. Emails
may be monitored. If you've received this email by mistake, please let the sender
know at once that it's gone to the wrong person and then destroy it without copying,
using, or telling anyone about its contents.

Santander Corporate Banking is the brand name of Santander UK plc, Abbey National
Treasury Services plc (which also uses the brand name of Santander Global Banking
and Markets) and Santander Asset Finance plc, all (with the exception of Santander
Asset Finance plc) authorised and regulated by the Financial Services Authority,
except in respect of consumer credit products which are regulated by the Office of
Fair Trading. FSA registration numbers: 106054, 146003 and 423530 respectively.
Registered offices: 2 Triton Square, Regent's Place, London NW1 3AN and Carlton Park,
Narborough LE19 0AL. Company numbers: 2294747, 2338548 and 1533123 respectively.

Registered in England. Santander and the flame logo are registered trademarks.
The attachment is named SantanderBillPayment_Slip0343884.zip although I have not been able to get a working copy. The payload is most likely the Upatre/Dyre banking trojan. My sources tell me that the current wave of this is phoning home to 197.149.90.166 in Nigeria which is worth blocking or monitoring.